Yes, that is true. I believe MWG will tell the browser that we support "Negotiate" and "Basic" as methods to authenticate. The browser will pick the strongest one (Negotiate) and fail to do Basic. If I remember correctly, it is required to use the "Authentication.ClearMethodList" event to clear out the methods offered to the browser, so that the browser will use Basic.

I think we have an example rule set somewhere, I will see if I can find it.

Basically, the rules look OK to me. I am curious about the "from time to time" statement. Does this mean that the error pops up randomly? Is there anything you can point out when the issue occurs, or can you reliably replicate the issue when you do a specific action?

I would assume that when the rule works for most requests, the rule should be correct. If you can try, you could move the additional rule that looks up the group membership and place it in a separate rule set which you call once authentication is provided.

Does the issue occur with the additional rule disabled?

To me it sounds like there is maybe a problem for MWG when trying to check the credentials against Kerberos/the LDAP server (looks like a sporadic issue). Maybe a deeper analysis is required, so I recommend filing a service request (if not already done) and providing them with feedback and some packet captures which show the issue. Support should then be able to clearly point out what is going wrong.